SailPoint

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

SailPoint Account Activity

✅

sailpoint_identitynow_audit_reports_accountactivities

NDJSON

API

SailPoint Events

✅

✅

sailpoint_identitynow_audit_reports_events

NDJSON

API


Overview

SailPoint IdentityNow is a modern SaaS-based Identity Security solution that provides a centralized way to see and control every user’s access to resources across hybrid IT environments while ensuring regulatory compliance. IdentityNow has built-in identity best practices that allow simplified administration without the need for specialized identity expertise.

IdentityNow enables organizations to store user data from across all their connected sources and manage the users' access, so the ability to query and filter that data is essential. Its main use cases include:

  • Lifecycle Management

  • Compliance Management

  • Password Management

Hunters will ingest these data types and run its OOTB detections over them.

Supported data types

Account activity

Table name: sailpoint_identitynow_audit_reports_accountactivities

Refers to actions that IdentityNow took on a third-party source. All account activity corresponds to items in the Events tab in Search, but the entries in Account Activity contain much more detail and are intended to be used for troubleshooting.

Learn more here.

Events

Table name: sailpoint_identitynow_audit_reports_events

A list of all recorded actions taken in your organization. They are intended to be used as audit reports.

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from SailPoint via API.

To connect SailPoint logs:

  1. Retrieve the following information from SailPoint:

    • Host

    • Client ID

    • Client Secret

  2. Complete the process on the Hunters platform, following this guide.

Expected format

Account activity Sample

{"requester": {"name": "SYSTEM", "id": "fffffffffff", "type": "Identity"}, "sources": "IdentityNow", "created": "2023-02-22T03:04:28.582Z", "accountRequests": [{"result": {"errors": ["sailpoint.connector.InvalidRequestException: [ InvalidRequestException ] [ Error details ] Request execution failed. HTTP Error code : 400, Okta Error code : E0000001, errorSummary : Api validation failed: login, errorCauses:[{errorSummary=login: An object with this field already exists in the current organization}]."], "status": "failed"}, "op": "Create", "provisioningTarget": {"name": "Okta", "id": "555555555555", "type": "OpenConnectorAdapter"}, "source": {"name": "Okta", "id": "88888888888", "type": "OpenConnectorAdapter"}, "attributeRequests": [{"op": "Add", "name": "groups", "value": "XXXXXXXXX"}, {"op": "Add", "name": "login", "value": "abc@test.com"}, {"op": "Add", "name": "email", "value": "abc@test.com"}, {"op": "Add", "name": "firstName", "value": "Jon"}, {"op": "Add", "name": "lastName", "value": "Smith"}, {"op": "Add", "name": "activate", "value": true}]}, {"result": {"status": "IdentityNow Task"}, "op": "Modify", "provisioningTarget": {"name": "IdentityNow", "id": "IDN"}, "source": {"name": "IdentityNow", "id": "IDN"}, "attributeRequests": [{"op": "Add", "name": "assignedRoles", "value": "Data Science"}]}], "stage": "Completed", "originalRequests": [{"result": {"status": "Manual Task Created"}, "op": "Modify", "source": {"name": "IdentityNow", "id": "IDN"}, "attributeRequests": [{"op": "Add", "name": "assignedRoles", "value": "LDAP Dummy Assignment to Inactive"}, {"op": "Add", "name": "assignedRoles", "value": "ldap test remove"}, {"op": "Add", "name": "assignedRoles", "value": "Inactive"}, {"op": "Add", "name": "assignedRoles", "value": "Data Science"}]}], "expansionItems": [{"attributeRequest": {"op": "Add", "name": "groups", "value": "XXXXXXXXX"}, "name": "Data Science", "cause": "Role", "source": {"name": "Okta", "id": "7777777777777777", "type": "OpenConnectorAdapter"}}, {"attributeRequest": {"op": "Add", "name": "login", "value": "test@test.test1.com"}, "name": "login", "cause": "ProvisioningPolicy", "source": {"name": "Okta", "id": "77777777777", "type": "OpenConnectorAdapter"}}, {"attributeRequest": {"op": "Add", "name": "email", "value": "test@test1.test1.com"}, "name": "email", "cause": "ProvisioningPolicy", "source": {"name": "Okta", "id": "11111111111", "type": "OpenConnectorAdapter"}}, {"attributeRequest": {"op": "Add", "name": "firstName", "value": "John"}, "name": "firstName", "cause": "ProvisioningPolicy", "source": {"name": "Okta", "id": "666666666", "type": "OpenConnectorAdapter"}}, {"attributeRequest": {"op": "Add", "name": "lastName", "value": "Bob"}, "name": "lastName", "cause": "ProvisioningPolicy", "source": {"name": "Okta", "id": "555555555", "type": "OpenConnectorAdapter"}}, {"attributeRequest": {"op": "Add", "name": "activate", "value": "true"}, "name": "activate", "source": {"name": "Okta", "id": "6666666111111", "type": "OpenConnectorAdapter"}}, {"attributeRequest": {"op": "Create"}, "source": {"name": "Okta", "id": "556506560565905", "type": "OpenConnectorAdapter"}}], "recipient": {"name": "jon", "id": "465605659500059544", "type": "Identity"}, "action": "Identity Refresh", "modified": "2023-02-22T03:04:29.356Z", "id": "55555555", "trackingNumber": "999999999", "errors": ["sailpoint.connector.InvalidRequestException: [ InvalidRequestException ] [ Error details ] Request execution failed. HTTP Error code : 400, Okta Error code : E0000001, errorSummary : Api validation failed: login, errorCauses:[{errorSummary=login: An object with this field already exists in the current organization}]."], "status": "Incomplete", "pod": "prd01-useast1", "org": "test", "synced": "2023-02-22T03:04:29.738Z", "_type": "accountactivity", "type": "accountactivity", "_version": "v7"}

Events Sample

{"org": "test", "pod": "prd01-useast1", "created": "2022-12-20T23:38:00.563Z", "id": "ddddddddddddddddddddd", "action": "ModifyAccount", "types": "PROVISIONING", "actor": {"name": "System"}, "target": {"name": "john"}, "stack": "wps", "trackingNumber": "eeeeeeeeee", "attributes": {"cloudAppName": "Okta", "provisioningResult": "committed", "appId": "aaaaaaaaaaa", "accountUuid": "null", "operation": "Set", "previousValue": "04/06/2020", "sourceId": "source-1412364", "sourceName": "Okta", "accountName": "ddddddd", "interface": "Attribute Synchronization Refresh", "attributeName": "hireDate", "attributeValue": "null"}, "objects": ["ACCOUNT"], "operation": "MODIFY", "status": "PASSED", "technicalName": "ACCOUNT_MODIFY_PASSED", "name": "Modify Account Passed", "synced": "2022-12-20T23:38:00.769Z", "_type": "event", "_version": "v7"}
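
The Python below is an added example, not Hunters or SailPoint code. It parses NDJSON shaped like the two samples above, routes each record to its table by `_type`, and flattens account activity into one row per group or role change together with the provisioning result. The input is constructed (trimmed from the samples, plus one record cut mid-line), and the function names and the `_type` routing are assumptions.

```python
import json

# Table names come from the page; routing on "_type" is an assumption from its samples.
TABLES = {
    "accountactivity": "sailpoint_identitynow_audit_reports_accountactivities",
    "event": "sailpoint_identitynow_audit_reports_events",
}

# Constructed input: records trimmed from the page's samples, plus one cut mid-record.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"_type": "accountactivity", "recipient": {"name": "jon"}, "accountRequests": [
        {"op": "Create", "source": {"name": "Okta"}, "result": {"status": "failed"},
         "attributeRequests": [{"op": "Add", "name": "groups", "value": "XXXXXXXXX"}]},
        {"op": "Modify", "source": {"name": "IdentityNow"}, "result": {"status": "IdentityNow Task"},
         "attributeRequests": [{"op": "Add", "name": "assignedRoles", "value": "Data Science"}]}]}),
    json.dumps({"_type": "event", "action": "ModifyAccount", "status": "PASSED", "target": {"name": "john"}}),
    '{"_type": "event", "action": "ModifyAccount", "target": ',
])


def parse_ndjson(text):
    """Route each valid line to its table; collect bad line numbers instead of aborting."""
    tables, rejected = {name: [] for name in TABLES.values()}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None  # truncated or wrapped record
        table = TABLES.get(str(rec.get("_type"))) if isinstance(rec, dict) else None
        if table:
            tables[table].append(rec)
        else:
            rejected.append(lineno)
    return tables, rejected


def access_changes(activities):
    """Flatten account activity into one row per group or role change attempted."""
    rows = []
    for rec in activities:
        for req in rec.get("accountRequests", []):
            for attr in req.get("attributeRequests", []):
                if attr.get("name") in ("assignedRoles", "groups"):
                    rows.append((rec.get("recipient", {}).get("name"),
                                 req.get("source", {}).get("name"), attr["name"],
                                 attr.get("value"), req.get("result", {}).get("status")))
    return rows
```

Each row is (identity, source, attribute, value, result status), so failed group or role assignments can be filtered on the last field.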